enterprisesecuritymag

Data-Driven Risk Management

By Ron Mehring, CISO, Texas Health Resources


When I was asked to write an article for CSO Outlook, I pondered what has been the prominent function or activity that has made the biggest difference in the way I lead information security. By far, it has to be the employment of robust risk management practices that are prioritized and driven by data analytics. The title of this article could very well be, “How I learned to stop worrying and love the data.” Before I get started, I would like to mention three books that I believe should be read by anyone really wanting to become data driven within their information security risk management programs.

Moving towards becoming data driven is critical to managing risk in highly complex organizations. As a healthcare security professional I see increasing complexity within the business of healthcare and the underlying architectures. I would even go out on a limb and state that all industries are having the same challenges. This increasing complexity is amplifying the importance of driving maturity and discipline into organizational information security risk management activities.

This exponential growth in complexity along with the increase of high-impact cyber security attacks has created an environment of uncertainty. This uncertainty is causing corporate boards and executive leaders to ask very tough questions, such as:

• What are our most significant technology risks?
• How much aggregate risk exposure do we have?
• What is the probability we will be attacked?
• What is our loss potential?
• What security investments would reduce risk exposure?
• How much risk should I transfer to insurance?

In most complex organizations and architectures these questions can be very difficult to answer. I will bet that many of you who are reading this article could easily add many more questions to this list. So how do we begin preparing our security team to answer these difficult questions and reduce uncertainty?

The Risk Management Team

One of the first steps in moving toward becoming data driven is assessing your internal talent. It is highly probable that your team members have spent most of their careers in security workflow, process management, policy and other associated IT security compliance activities. Moving towards becoming data driven will be a very significant transition for them. These team members will more than likely not only need training, but also assistance in looking at security risk management functions through a much different lens. Some skill areas that should be focused on to support moving toward a data-driven risk management program include:

• Data collection: Team members will need a solid understanding of how to pull and aggregate data from multiple types of data sources.
• Data analysis: Team members will require the ability to create and apply both quantitative and qualitative models. They will need a foundational knowledge of mathematics, and of statistics in particular.
• Data analysis tools: Team members will be required to learn data analysis tools and languages that will help them effectively gather, analyze and present results.
• Reporting and visualization: Once the data is analyzed, it needs to be put into a format that leaders within the organization can understand.

One of the most important aspects of being data driven within risk management is asking a well-constructed question. Information security team members will need to understand the difference between descriptive, exploratory, inferential and predictive questions. A couple of the more difficult concepts that I found team members struggle with in creating and answering data analysis questions are:

• Correlation does not imply causation
• If X predicts Y, it does not mean that X causes Y

Data analysis within complex environments is filled with unknown dependencies and imperfect information. Team members will need to be deeply aware of these concepts.

Technology Risk Register

Becoming data driven within your risk management functions will require some form of internal framework for housing and managing risk. A popular name for this approach is a risk register. Our technology risk register is composed of five risk domains:

• Applications
• Core Systems/Infrastructure
• Medical Devices
• Vendor - 3rd Party
• Project/Development

These five risk domains house risks, risk analysis, risk levels, measures, thresholds and targets that provide context for leaders to effectively manage risk within each domain.

When a risk threshold is breached, the risk is analyzed both quantitatively and qualitatively, and moved onto an enterprise-level risk register. The enterprise-level register is the primary focus of corporate board and executive leaders as it represents systemic risk or the potential of catastrophic loss.

Linking Security Operations and Governance

One of the keys to an effective risk management program is linking operational data with risk management data. Operational data does not directly translate well into risk management, so it must be bridged and associated with identified risk exposure. A technique I like to use for bridging is a traceability matrix. This matrix associates risk and operational data analytical approaches.

Operational: Operational data analytics are focused on short-term, control-based activities. Operational data should be considered signaling or surveillance in nature. These analytics normally are driven into weekly or monthly reports that answer the following type of questions:

• How many new critical vulnerabilities were released?
• How many vulnerabilities are over sixty days?
• Are there any account activity outliers?
• Did we receive a targeted phishing email?
• Was an indicator of compromise triggered? 

Risk Management: Risk management data analytics are focused on mid- to long-term programmatic functions with the purpose of proactively identifying and managing risk exposure, thresholds and targets. This risk data is normally published within governance-themed quarterly reports, and answers questions such as:

• How much aggregate exposure are we carrying within each risk domain?
• Has breach probability increased?
• Is the security control performing to expectation?
• Have we had an incident that resulted in material harm?
• Do we have any systemic risk?

The matrix takes the two data analysis areas and links them together into a mutually supporting relationship that ensures that there is a continuous feedback loop.
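To make the bridge concrete, here is an added example (not code from the article or from Texas Health Resources) that models the five risk domains, a constructed traceability matrix mapping weekly operational counts to domain exposure, and the threshold check that moves a breached domain onto the enterprise-level register with both a quantitative score and a qualitative level. Metric names, weights, thresholds and the weekly counts are all assumptions invented for the example.

```python
# The five risk domains of the technology risk register described in the article.
DOMAINS = ("Applications", "Core Systems/Infrastructure", "Medical Devices",
           "Vendor - 3rd Party", "Project/Development")

# Traceability matrix (constructed example): each operational metric is bridged to
# one risk domain with a weight saying how much exposure one unit of it adds.
TRACEABILITY = {
    "critical_vulns_over_60_days": ("Core Systems/Infrastructure", 2.0),
    "unpatched_medical_devices": ("Medical Devices", 3.0),
    "vendors_without_assessment": ("Vendor - 3rd Party", 1.5),
    "apps_failed_pentest": ("Applications", 2.5),
    "projects_skipping_security_review": ("Project/Development", 1.0),
}

# Per-domain thresholds (constructed): exposure above this moves the risk upward.
THRESHOLDS = {"Applications": 5.0, "Core Systems/Infrastructure": 20.0,
              "Medical Devices": 10.0, "Vendor - 3rd Party": 5.0,
              "Project/Development": 5.0}

# Constructed sample of one week's operational counts from the weekly report.
WEEKLY_COUNTS = {"critical_vulns_over_60_days": 12, "unpatched_medical_devices": 4,
                 "vendors_without_assessment": 3, "apps_failed_pentest": 1,
                 "projects_skipping_security_review": 2}


def domain_exposure(counts):
    """Aggregate operational counts into a per-domain exposure score via the matrix."""
    exposure = {d: 0.0 for d in DOMAINS}
    for metric, count in counts.items():
        if metric not in TRACEABILITY:
            # Unbridged operational data cannot be expressed as risk exposure.
            raise ValueError(f"metric {metric!r} is not in the traceability matrix")
        domain, weight = TRACEABILITY[metric]
        exposure[domain] += weight * count
    return exposure


def qualitative_level(score, threshold):
    """Translate the quantitative score into the label leadership sees."""
    if score > threshold:
        return "Breached"
    return "Elevated" if score > 0.75 * threshold else "Within target"


def enterprise_register(counts):
    """Entries (domain, score, level) for domains whose threshold was breached."""
    exposure = domain_exposure(counts)
    return [(d, s, qualitative_level(s, THRESHOLDS[d]))
            for d, s in exposure.items() if s > THRESHOLDS[d]]
```

Running `enterprise_register(WEEKLY_COUNTS)` on the sample week escalates only the two domains whose scores exceed their thresholds; the other three stay in their domain registers with an "Elevated" or "Within target" level.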

Visualizing Risk

Visualization is the end state of a data analysis exercise. Well-designed visualization will serve as the primary mechanism in helping your corporate board members and executive leaders understand the risks that need the most attention within the organization.

• Keep your visualizations simple and ensure they answer the proposed question.
• Try to use visualizations similar to those your leaders are accustomed to seeing. This will allow leaders to orient quickly.
• Do not get too fancy with your visualizations. Histograms and scatter plots still work well in most data analysis use cases.
• Always provide a short, descriptive analysis to support your visualization.

Moving toward data-driven risk management within your information security program is not something you will accomplish in a month or even a year. Pace your team and start off with small and focused data analysis use cases. Within no time, you too will be able to stop worrying and love the data.